Analysis
- max time kernel: 174s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 06:25
Behavioral tasks
- behavioral1: sample 规范招商引资统计工作通知/兰洽会项目表样.xls, resource win7-20221111-en
- behavioral2: sample 规范招商引资统计工作通知/兰洽会项目表样.xls, resource win10v2004-20221111-en
- behavioral3: sample 规范招商引资统计工作通知/关于进一步规范招商引资统计工作的通知(下发).doc, resource win7-20221111-en
- behavioral4: sample 规范招商引资统计工作通知/关于进一步规范招商引资统计工作的通知(下发).doc, resource win10v2004-20221111-en
- behavioral5: sample 规范招商引资统计工作通知/月报表.xls, resource win7-20220901-en
- behavioral6: sample 规范招商引资统计工作通知/月报表.xls, resource win10v2004-20221111-en
General
- Target: 规范招商引资统计工作通知/关于进一步规范招商引资统计工作的通知(下发).doc
- Size: 35KB
- MD5: 4afc10e7ead286b1e7b285d72e8f0fab
- SHA1: fd23bf6736ff66559a1064767995b00ee512b430
- SHA256: d9b62b044b09de6239f6f8ddd9cff0b896e18affe579dae37ea2b06bc9c78a8d
- SHA512: c21b68b4a785bba1a6e3dd1904469a4538c5aa17b898d8551bf5f6d69b2d68323dff72488480bb801d03c90dbc77fd317714b0e1729b46141441d386d01db459
- SSDEEP: 384:QB+6/ESp0kXFqknJR6fuI/lanyd4kQfCp9VYeeReyYvCgYMc+B7:QB+bSp0kXRnJsfuI/lMI4kQfCrco7
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
  pid | process
  4632 | WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes:
  pid | process
  4632 | WINWORD.EXE (14 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 4632)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\规范招商引资统计工作通知\关于进一步规范招商引资统计工作的通知(下发).doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps of WINWORD.EXE (pid 4632), 64KB each:
- memory/4632-132-0x00007FF84DC90000-0x00007FF84DCA0000-memory.dmp (64KB)
- memory/4632-133-0x00007FF84DC90000-0x00007FF84DCA0000-memory.dmp (64KB)
- memory/4632-134-0x00007FF84DC90000-0x00007FF84DCA0000-memory.dmp (64KB)
- memory/4632-135-0x00007FF84DC90000-0x00007FF84DCA0000-memory.dmp (64KB)
- memory/4632-136-0x00007FF84DC90000-0x00007FF84DCA0000-memory.dmp (64KB)
- memory/4632-137-0x00007FF84B9E0000-0x00007FF84B9F0000-memory.dmp (64KB)
- memory/4632-138-0x00007FF84B9E0000-0x00007FF84B9F0000-memory.dmp (64KB)
- memory/4632-140-0x00007FF84DC90000-0x00007FF84DCA0000-memory.dmp (64KB)
- memory/4632-141-0x00007FF84DC90000-0x00007FF84DCA0000-memory.dmp (64KB)
- memory/4632-142-0x00007FF84DC90000-0x00007FF84DCA0000-memory.dmp (64KB)
- memory/4632-143-0x00007FF84DC90000-0x00007FF84DCA0000-memory.dmp (64KB)